Re: Exploits matter.

[dave <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This raises an interesting question. What is a "public" exploit? Buying
CANVAS costs less than four thousand dollars and is (thankfully :>) a
reasonably common thing for companies to have. If a working, 100%
reliable exploit is in the hands of the ten thousand people who care,
shouldn't that be considered "public"?

It just seems weird to me that all the news articles on SMBv2 focus so
much on whether or not you can download a working version of the exploit
over the Internet, when all the people who could actually do anything
with it already had it.

- -dave

dan () geer org wrote:
>  >
>  > The summary is this: You may think increasing exploit costs
>  > is a simply good thing. But the side effect of relying on
>  > mitigations as opposed to software assurance is that it is
>  > getting extremely expensive to avoid being drowned in the
>  > noise.
>  >
>
> The other side effect is that for exploitable vulnerabilities
> a rising fraction are privately held as the probability that
> you will give away something is inversely proportional to what
> it cost you to obtain it.
>
>
> --dan
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkrMfBwACgkQtehAhL0gherNMwCfQXm3RGhLwk5ETO4DCgw/a257
CA4Aniz2UpfFjt08SWBNvw+UROkO2hup
=EizD
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave